feat: enable fail2ban

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-10-23 21:39:19 +02:00 · 2025-10-23 21:39:19 +02:00 · 86347a68de
commit 86347a68de
parent 49341364a8
4 changed files with 72 additions and 6 deletions
--- a/hosts/servers/hosting-02.nix
+++ b/hosts/servers/hosting-02.nix
@ -1,9 +1,4 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, pkgs, ... }:
 {

  systemd.network.networks."30-wan".addresses = [
@ -23,6 +18,18 @@
    ];
  };

+  services.fail2ban.jails = {
+    # max 6 failures in 600 seconds
+    "nginx-spam" = ''
+      enabled  = true
+      filter   = nginx-bruteforce
+      logpath = /var/log/nginx/access.log
+      backend = auto
+      maxretry = 6
+      findtime = 600
+    '';
+  };
+
  services.namespaced-vpn = {
    enable = true;
    ips = [